Ariel Evans, the CEO of Cyber Innovative Technologies and Author of the new book, "Managing Cyber Risk" appeared on Episode #82 of Task Force 7 Radio this week, with host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, and Co-host Tom Pageler Chief Security Officer of BitGo, Inc. to talk about how to measure cyber risk on your digital assets.
Over 85% of businesses now are in digital form compared to 10% in 2001. Evans, who is an expert in measuring and mitigating cyber risk in organizations, talks about how to identify your digital assets, what types of cyber risk maturity models companies should be embracing, and how you should calculate the financial exposure and regulatory risk of a specific digital asset.
She also defines cyber resiliency, why you should use a digital asset approach to cyber resiliency, and how a company can become more cyber resilient by implementing a proper risk prioritization strategy. She wraps up the show by talking about what professionals should be thinking about when measuring the efficacy of a cyber security program, how you should calculate these metrics, and how to properly use them properly with key stakeholders.
Demystifying Cyber Security For The Business
“I was fascinated by it because the business is mystified by cyber. It is like the bogey man, cyber. It is not that scary if you really understand it, but the question is how many people really truly take the time to understand it? So, that's somewhat how I became involved in it,” said Evans.
Evans then talked about some of the key findings in the research for her book. These included:
- Cyber is really a business issue. That’s because the Board is the risk owner, and cyber events are now among the top three triggers for derivative actions, meaning that the directors and officers are personally liable for cyber events. That became somewhat of a big game changer. Then we saw GDPR in the EU.
- Enterprises need to know that 85% of their business is a digital asset. “That means 85% of your business value is digital. Gartner's been talking a lot about digitization lately, how you need to align digital assets to the M&A piece as well as the risk, which is good, people are finally starting to get that,” said Evans.
- Enterprises run on an assumption of breach model to say where it's not, ‘Oh, I haven't been breached.’ Instead, it's you have been breached and you will be breached again. “Everyone teaches that model; every university teaches that model,” added Evans.
- Maturities of organizations are all over the place. Some are pervasive and super mature, making it an enterprise risk initiative. Then there are organizations that are still in firewalls and servers and closets. So, there is a really big disparity in maturity and it’s pervasive around different organizations and how they look at it.
- Things are only going to get worse. We are living in an age of internet activity and innovation where everyone is now a fintech, a teltech and an insurtech. What is this? This is taking innovation technologies, which are digital assets, and making solutions out of them. We have IoT, middleware that connects the federal banks with the acquiring banks, we have regulation now where we're seeing each of the states enacting privacy laws, everyone’s outsourcing, only 40% of companies are now on premise, everyone is putting everything in the cloud … “it’s a perfect storm basically,” said Evans.
Digital Transformation Comes With Greater Risk
Rettas and Evans talked about digital transformation at enterprises and how companies need to understand that “as you continue to transform into more of a digital organization that means your risk has exponentially grown. Because you've been using point solutions to try and have a cyber security program, you've only been looking at the tool side of it,” explained Evans.
As an example, the industry is 2 million resources short in the U.S. alone in terms of skilled cyber security professionals. It is going to be 3.5 million in another year and a half. It is growing so large because companies are finally realizing that they are not spending enough on cyber with the people part of it, because cyber is people, process and tools.
So, if you don’t know what your digital assets are, you won’t know how to protect and secure it. It is like any business that does not do an inventory — it will eventually go out of business, and cyber is no different. Evans added, “We really have to inventory those assets and know what they are.”
Pageler reiterated that universities are starting to teach more of a risk-based approach where it is not “if” we will be breached, but “when”. And so, he agreed with Evans that you can’t secure everything. But what you should be doing is putting resources to mitigate risk down to more acceptable levels based on the impact.
See Related: “Implementing A Risk-Based Cyber Security Framework”
And when it comes to cyber security budget, Evans believes that it should be treated as a separate line of business, not “some one legged step-child of IT.” The idea is similar to your home budget: You have a car expense that is fixed, you have a mortgage expense that is fixed, you have a vacation fund, and it's variable. Cyber security needs to be thought of the same way – by looking at the fixed costs (your operational costs, your CISO, your stock analyst, your pentester, etc.), and the variable costs (all the things that happen to you that are unexpected).
Rettas commented on organizational change and how transformation like this can be a challenge. He asked “What do you think companies need to change to increase their ability to manage cyber risk more effectively?” According to Evans:
- First, look at the governance structure of the organization (the reporting structure) to make sure that the roles and responsibilities are clearly defined and correct.
- Make sure there is a single person of accountability for the cyber security program because the tone at the top has to be set that cyber is a culture.
- Understand where you are in the maturity spectrum, which is key to figuring out next steps.
“When you add in cyber risk context, strictly speaking, how are these digital assets typically in an organization?” Rettas asked. Evans continued with more tips on getting started:
- Understand what business you are in. What are your crown jewel assets? (For example, Equifax is in the business of data privacy with customer privacy information and credit scores as their crown jewels.)
- If something happens to your crown jewels, what could happen to you? (Equifax lost 25% of their stock price and they have never recovered.)
Defining Cyber Resiliency
Evans defines cyber resiliency as the ability of a company to continuously deliver the intended outcome in spite of an adverse cyber event. It is really used to benchmark and define the organizational goals in terms of cyber security. One of the ways to look at it is, there are two levels of risk that we can measure — one is inherent. That is the risk without controls. That's used in a number of different use cases with digital assets, such as quantifying how much cyber insurance a company should buy because you want to use the worst case scenario, which is what inherent is.
Then you have residual risk, which is the risk with the controls. In other words, how effective are those cyber security tools? How effective is that firewall? They lose their effectiveness 50% every two years if they are not tuned. It is the same with all cyber security tools. They have to be maintained, like a car.
So what you're looking at is this ebb and flow of information that you can actually utilize when something happens in your organization that impacts your digital assets, not only from the perspective of what should we do and how should we do it, and what kind of risk that looks like, but also looking at the effectiveness of, do we have the right tools, are they effective enough, should we buy another tool? These are the kinds of conversations that can happen around cyber resiliency.
So how can companies become more cyber resilient? Evans said:
- Have an effective strategy.
- Make sure you have the right organizational structure.
- Make sure you have the right budget.
- Know what your tool ROIs are.
- Know how your resource management is effective or not.
- Know how much vendor risk you have and how you can mitigate that down to a more acceptable level.
- Know how much cyber insurance you need.
Investigating Cyber Insurance
Evans talked about how much cyber insurance companies should actually buy. “This is a big thing we do with companies. It's actually usually the first part of the engagement that folks use our product for,” said Evans. “What they're asking is, the broker says that they should buy this, but they don't think it's right. Or the broker tells them that they do not know how much they should buy, which is really happening more and more often because what they do is, they say, ‘Well, if you guys are both banks, and you're both on Wall Street, you both have 5,000 employees and 40 bn in revenue, we'll sell you the same policy at the same price.’ That doesn't make any sense at all,” according to Evans.
“We don't do this in property and casualty insurance, we don't do this in flight insurance, we don't do this in any other kind of insurance sector but cyber, because they don't know how much insurance the company really should have. It's really based upon the way they pay the claim,” she said.
So, when you look at the digital assets approach, Evans said you can quantify based on how they actually pay the claim, which is data exfiltration. That is a fancy way of saying cyber criminals stole your data. An example of that is, you click on a phishing email and malware gets installed, and then all of a sudden, your data's being stolen and it's sold on the deep and dark web. That is data exfiltration. That is based on the number of records that your system processes, which is the digital asset.
See Related: “Insurance Industry To Bring Stability To Cyber Security?”
Another thing they pay for is business interruption, which is when you cannot complete the transaction. It's a process related metric. An example of that would be you want to buy a Mother's Day gift at Macy's and you go on the Macy's website to buy the gift. An attacker floods their web application server with traffic and the website gets shut down, and you can't buy the gift. That is something that cyber insurance companies will also pay for based on the revenue lost per what they call the denial service attack, which is what that is. That is usually a 48 hour lifecycle times the amount of revenue that's lost for that process.
Depending on how the policy is written, sometimes they will also pay for regulatory law. “So, if you don't understand how much you really should buy, then you're going to be like Target who had $100 mn policy, and now has over $1 bn worth of loss, which is more the norm than not. They're woefully under-insured and they don't know how much to insure themselves for,” explained Evans.
[inlinead-1]
Digital Asset Approach With Cyber Risk Metrics
Metrics are the language of the Board according to Evans. They want the KPIs and they want the metrics. They should not be cyber security experts, and nor should we come at them with cyber jargon and say denial of service attack, man in the middle, sequel injection, etc., because then they completely shut down. These are people who have been on the Board for 15 to 20 years, and this is new. So, we need to talk to them in their language.
That is where metrics are useful because you can get into the aforementioned use cases in terms of how much cyber insurance to buy, how many resources are needed, and the comparison to peers on the maturity scale.
Evans added, “We can get an idea both quantitatively from the financial exposure side by using digital assets, and also qualitatively from the risk scoring based on digital assets to look across which digital assets are more inherently risky and why, and then, shouldn't we be monitoring those, because they're inherently more risky than others? The answer's yes, you should. They are your prized assets, they are your crown jewels in some cases and that makes sense. So, it's really important to pull it all together from an internal perspective, and be proactive about your risk management program.”
Rettas asked about the Board report, “how should we put these to use properly? I'm not a fan of giving a lot of metrics to the board, I think the board wants to hear stories that they can relate to and you did mention, speaking the language of the business, I think a language they understand. But also when you talk to finance, when you talk to risk, when you talk to the line of business folks, how do you use these properly in terms of inherent and residual risk and things like that?”
First Evans said, you tell the Board what they need to know. They need to know how effective the program is and where there needs to be more resources, more attention paid. They need to know what the crown jewel assets of the business are. You also want to be able to tell the Board a story with metrics:
“Okay, on a scale of 0-5, last year we were 2.5% resilient, our goal is to get 3.2% resilient. As a direct result, we put in place a data privacy program, we hired a new data privacy officer, we integrated in our risk management system with the ERM, so our cyber risk management, and our enterprise risk management are now talking to each other. We've put together a series of important metrics that we review each and every quarter with you, so that you can understand how effective our program is, and then we can have conversations around pivoting it if necessary, that would be appropriate for you to be involved in the conversation with us," explained Evans.
The Changing InfoSec Space
Evans explained the changing information security space as the good, the bad and the ugly. There are some interesting things that are going to make cyber better and then some will make it more challenging, such as IoT where a lot of times security is not baked in.
She predicted that as customers move more and more towards the cloud, then we’ll see more transparency between the cloud service provider and the customer. Then there is quantum – once that happens, we are going to see PKI infrastructures become obsolete, according to Evans. And if quantum is really happening in 5 to 10 years, what do we do in terms of security control? Here are some more of her predictions:
- With blockchain, I am not impressed yet with any security solutions anyone's come out with. It's a lot of hype frankly, and blockchain is more of a trust model. It's great for smart contracts and more of a business application, but not from a cyber control perspective.
- AI is going to be very interesting because we are seeing all kinds of different use cases around how can we replace the human component of the cyber security process. Whether it be remediation, whether it be identification of certain types of assets, whether it be looking at it from a data cleansing perspective, there is all these kind of use cases around AI that are terrific and we actually incorporate AI into our application today.
Evans closed the show by talking about her upcoming new product launch, her cyber education services business and course offerings, as well as her upcoming book launch. Evans noted that everything she talks about has to do with cyber risk, including helping CISOs understand how to talk to the Board.
“What we want them to understand is, we need to talk in the language of the Board. The Board has the fiduciary duty to protect the business assets, and they can only do that with the right kind of metrics to make the right kind of business decisions,” closed Evans.
See Related: “The Economic Side Of Cyber Security Risk Management”
The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.
To listen to this and past episodes, click here.